Controlling who can reach an Amazon RDS instance that lives in a private subnet is a common problem: the database must not be exposed to the internet, yet developers and DBAs still need a client connection to it. This post shows a way to do that with AWS Systems Manager Session Manager: a small jump server with no inbound ports and no SSH keys, through which a port-forwarding session carries MySQL traffic from your workstation to the RDS endpoint.
We start with the design, then the prerequisites, then the steps, and finish with a MySQL Workbench connection over the tunnel.
AWS Systems Manager Session Manager is a fully managed Systems Manager capability for secure, auditable remote management of EC2 instances and on-premises servers, such as the jump server used here. It removes the need for SSH keys and open inbound ports, while IAM decides who may open a session and session activity can be logged.
Amazon RDS, offered by AWS, is a fully managed and scalable database service that simplifies the setup and maintenance of various relational databases.
It’s a top choice for hosting relational databases in the cloud, making it essential for organizations needing a dependable and cost-effective database solution.
With Session Manager you get the benefit of a bastion host without its exposure: the jump server needs no public IP and no inbound security group rules, because the SSM Agent on it opens outbound connections to the Systems Manager endpoints. A port-forwarding session then lets your workstation talk to the RDS endpoint through that instance.
It also removes the management of SSH/PEM keys. Who may start a session, on which instance and with which session document is decided by AWS Identity and Access Management (IAM), and every session start is recorded as an API call in AWS CloudTrail.
- An AWS IAM role with the AmazonSSMManagedInstanceCore managed policy, attached to the jump server as its instance profile.
- SSM Agent installed and running on the jump server.
- The Session Manager plugin for the AWS CLI installed on your workstation.
- An IAM identity on the workstation that is allowed to call ssm:StartSession on the jump server (used in Step 6).
- A GUI database tool; this post uses MySQL Workbench.
- The AWS CLI installed locally (follow the AWS CLI installation guide for your OS).
Step 1: Create an AWS IAM role for the jump server
- Create an IAM role that the jump server will assume, so that SSM Agent can register the instance with Systems Manager.
- In the “Trusted entity type” section, select “AWS service.”
- Choose “EC2” as the service or use case.
- Click “Next.”
- In the “Add permissions” step, select the “AmazonSSMManagedInstanceCore” policy. That is all the agent needs; do not add broader permissions to this role, because anyone who gets a shell on the jump server inherits them.
- Click “Next.”
- Provide a name for the role.
- Click “Create role.”
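The role above is only half of the IAM picture: the identity on the workstation that runs aws ssm start-session in Step 6 also needs permission, and it should be limited to the port-forwarding document on this one instance so the same credentials cannot open an interactive shell on the jump server. The script below is an added example, not code from the original post. It emits the trust policy the console creates in Step 1 and a least-privilege end-user policy for the workstation identity; the account ID, region and instance ID are placeholders, and the small allowed_documents check is a self-test of the policy, not an AWS API.

```python
"""Build the two IAM policy documents this setup needs.

Added example, not from the original post. instance_trust_policy() is the
trust relationship Step 1 creates in the console (EC2 may assume the
role). end_user_session_policy() is the policy to attach to the IAM
identity used by `aws configure --profile RDS` in Step 6: it allows
ssm:StartSession only on one jump server and only with the
port-forwarding document. Account ID, region and instance ID are
placeholders.
"""
import json

PORT_FORWARD_DOC = "AWS-StartPortForwardingSessionToRemoteHost"


def instance_trust_policy() -> dict:
    """Trust policy for the jump server's role: only the EC2 service may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def end_user_session_policy(region: str, account_id: str, instance_id: str) -> dict:
    """Least-privilege policy for the workstation identity.

    ssm:StartSession is authorised against both the target instance and the
    session document, so both ARNs sit in one statement. The
    ssm:SessionDocumentAccessCheck condition forces the document check, so
    the caller cannot fall back to the default interactive-shell document.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PortForwardToJumpServerOnly",
                "Effect": "Allow",
                "Action": "ssm:StartSession",
                "Resource": [
                    f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}",
                    f"arn:aws:ssm:{region}::document/{PORT_FORWARD_DOC}",
                ],
                "Condition": {
                    "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}
                },
            },
            {
                # Session IDs are prefixed with the IAM user name, so this lets
                # a user end or resume only their own sessions.
                "Sid": "ManageOwnSessions",
                "Effect": "Allow",
                "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
                "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
            },
        ],
    }


def allowed_documents(policy: dict) -> set:
    """Return the SSM document names a policy lets ssm:StartSession use.

    Self-check for the policy above: an Allow for ssm:StartSession that names
    no document, or names the default shell document, is broader than intended.
    """
    docs = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Allow" or "ssm:StartSession" not in actions:
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if ":document/" in arn:
                docs.add(arn.rsplit("/", 1)[1])
    return docs


if __name__ == "__main__":
    policy = end_user_session_policy("us-east-1", "123456789012", "i-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
    print("documents allowed:", allowed_documents(policy))
```

Attach the printed end-user policy to the workstation user or role rather than a broad AmazonSSMFullAccess; the instance role from Step 1 keeps only AmazonSSMManagedInstanceCore.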
Step 2: Session Manager plugin installation
The workstation in this post runs Windows, so the plugin is installed there. For another operating system, follow the Session Manager plugin installation page in the AWS documentation.
- Download the Windows installer (.exe) for the Session Manager plugin from the AWS documentation.
- Run the downloaded installer. Afterwards, running session-manager-plugin in a command prompt prints a message confirming the plugin is installed.
Step 3: Launch the jump server
- Go to the Amazon EC2 dashboard in the AWS console.
- Click Launch instance.
- Give the jump server a name and select an AMI. This post uses Amazon Linux 2023, which ships with SSM Agent preinstalled.
- Select the instance type. A key pair is not required, because nobody will SSH to this instance; choose “Proceed without a key pair” unless you want one as a fallback.
- In Network settings, select the VPC and a subnet, and leave the inbound rules empty. The agent only needs an outbound path to the Systems Manager endpoints: a public subnet with a public IP as in this demo, or a private subnet with a NAT gateway or VPC interface endpoints for ssm, ssmmessages and ec2messages.
- Configure the storage size as you need.
- In Advanced details, set the IAM instance profile to the role created in Step 1.
- Click Launch instance.
Step 4: SSM Agent installation
Amazon Linux 2023 AMIs come with SSM Agent preinstalled, so on the jump server used here this step is only a check. For other operating systems, see the SSM Agent installation pages in the AWS documentation.
- Connect to the jump server: in the Systems Manager console, open Session Manager in the left panel, click Start session, select the jump server as the target and click Start session again. You are taken to a web-based terminal on the instance. If the instance is not listed as a target, the agent is not registered yet; connect another way (for example EC2 Instance Connect) to install it.
- Check whether the agent is installed and running. If it is active, skip the installation part. The systemd unit name is lowercase:
sudo systemctl status amazon-ssm-agent
- If it is missing, install it from the AWS-hosted package:
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
- Verify that the agent is running; the output should show “active (running)”:
sudo systemctl status amazon-ssm-agent
- If the service is inactive, enable it so that it starts at boot, then restart it:
sudo systemctl enable amazon-ssm-agent
sudo systemctl daemon-reload && sudo systemctl restart amazon-ssm-agent
Step 5: Launch Amazon RDS in a private subnet
- In the Amazon RDS dashboard in the AWS console, click Create database.
- Select the engine; this demo uses MySQL.
- Select the engine version; this demo uses the latest one.
- This demo uses the Free tier template and a single DB instance; choose whatever your requirements call for.
- Set the master username and password.
- In the Connectivity section, select the VPC and a DB subnet group that contains only private subnets.
- Set Public access to No.
- In Additional configuration, enter the initial database name.
- Click Create database.
- Configure the RDS security group to allow inbound TCP 3306 only from the jump server's security group, referenced by group ID rather than by CIDR. No other inbound rule is needed; in particular, do not add the VPC CIDR or 0.0.0.0/0.
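The two security groups and the Public access setting are the whole network boundary of this design, and the console makes it easy to leave a default SSH rule or an old CIDR rule behind. The script below is an added example, not code from the original post: it audits that boundary from the JSON that aws ec2 describe-security-groups and aws rds describe-db-instances return (the same shape boto3 gives you). The samples embedded in it are constructed, with placeholder group IDs and endpoint, and deliberately contain two mistakes so the checks have something to find.

```python
"""Audit the network posture the post describes. Added example, not from
the original post. Input is the JSON shape returned by
`aws ec2 describe-security-groups` and `aws rds describe-db-instances`
(or the equivalent boto3 calls); the samples below are constructed, and
the group IDs and endpoint are placeholders.

Expected state: the jump server's group has no inbound rules at all
(Session Manager connects outbound), and the RDS group allows only TCP
3306 from the jump server's group, with no CIDR rules.
"""
import json

JUMP_SG = "sg-0aaa111122223333a"
RDS_SG = "sg-0bbb111122223333b"

# Constructed sample: the jump server group still has the SSH rule the
# console adds by default, and the RDS group has a stale MySQL rule open
# to the world next to the correct group-to-group rule.
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa111122223333a", "GroupName": "jump-server",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb111122223333b", "GroupName": "rds-mysql",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa111122223333a"}]},
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]}
""")

SAMPLE_DB_INSTANCES = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "demo-mysql", "PubliclyAccessible": false,
   "Endpoint": {"Address": "demo-mysql.abc123.us-east-1.rds.amazonaws.com", "Port": 3306},
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb111122223333b", "Status": "active"}]}
]}
""")


def _group(sgs: dict, group_id: str) -> dict:
    return next(g for g in sgs["SecurityGroups"] if g["GroupId"] == group_id)


def jump_server_findings(sgs: dict, jump_sg: str) -> list:
    """Every inbound rule on the jump server group is a finding: none is needed."""
    findings = []
    for perm in _group(sgs, jump_sg)["IpPermissions"]:
        ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        findings.append(f"jump server allows inbound {perm['IpProtocol']} {ports} from {sources}")
    return findings


def rds_sg_findings(sgs: dict, rds_sg: str, jump_sg: str, port: int = 3306) -> list:
    """Flag any RDS inbound rule other than TCP <port> from the jump server group."""
    findings = []
    for perm in _group(sgs, rds_sg)["IpPermissions"]:
        ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        right_port = (perm.get("IpProtocol") == "tcp"
                      and perm.get("FromPort") == port and perm.get("ToPort") == port)
        # Any CIDR source is wrong: the only legitimate source is a group reference.
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"RDS group allows {cidr} on {ports}; only {jump_sg} should be a source")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != jump_sg or not right_port:
                findings.append(f"RDS group allows {pair['GroupId']} on {ports}")
    return findings


def rds_exposure_findings(dbs: dict, rds_sg: str) -> list:
    """PubliclyAccessible must be false, and only the audited group may be attached."""
    findings = []
    for db in dbs["DBInstances"]:
        if db.get("PubliclyAccessible"):
            findings.append(f"{db['DBInstanceIdentifier']} is publicly accessible")
        attached = {g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])}
        if attached != {rds_sg}:
            findings.append(f"{db['DBInstanceIdentifier']} has unexpected security groups {sorted(attached - {rds_sg})}")
    return findings


def audit(sgs: dict, dbs: dict, jump_sg: str = JUMP_SG, rds_sg: str = RDS_SG) -> list:
    return (jump_server_findings(sgs, jump_sg)
            + rds_sg_findings(sgs, rds_sg, jump_sg)
            + rds_exposure_findings(dbs, rds_sg))


if __name__ == "__main__":
    for finding in audit(SAMPLE_SECURITY_GROUPS, SAMPLE_DB_INSTANCES):
        print("FINDING:", finding)
```

Against a real account, replace the two samples with the parsed output of the describe calls and run audit() after Step 5 and again whenever the groups change; an empty list is the state this post relies on.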
Step 6: Connecting to Amazon RDS
- Open a command prompt on the Windows workstation.
- Configure a named profile with the credentials of the IAM identity that is allowed to start sessions:
aws configure --profile RDS
- Enter the access key ID, secret access key and region when prompted.
- Start a port-forwarding session that maps a local port to the RDS endpoint through the jump server. Pass --profile RDS so the CLI uses the profile just configured rather than the default one:
aws ssm start-session --profile RDS --region <your region> --target <your bastion instance id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host="<your rds endpoint name>",portNumber="3306",localPortNumber="3306"
- The command prints the session ID and then waits for connections. Leave that window open; closing it ends the session and the tunnel with it.
- Open MySQL Workbench and create a new connection.
- Use 127.0.0.1 as the hostname, the local port chosen above (3306 here; pick another, such as 13306, if a MySQL server already runs on the workstation) and the RDS master username.
- Click OK, enter the password when prompted, and the connection succeeds. The hop from the workstation to the jump server is carried inside the Session Manager channel; the hop from the jump server to RDS is an ordinary MySQL connection inside the VPC, so enable SSL in the Workbench connection if that hop must be encrypted too.
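The manual sequence above has two failure modes that are easy to miss: the plugin exits quietly when the caller lacks ssm:StartSession, and Workbench may connect to a local MySQL server on 3306 instead of the tunnel. The script below is an added example, not code from the original post. It wraps the same aws ssm start-session call the post runs by hand: it builds the argument list, starts the plugin as a child process, waits until the local port actually accepts connections before telling you to connect Workbench, and ends the session on Ctrl-C. The profile name, region, instance ID and endpoint are placeholders; the AWS CLI and Session Manager plugin must be installed for main() to work, while the two helper functions need neither.

```python
"""Open the Session Manager port-forwarding tunnel from Step 6 as a script.

Added example, not from the original post. Profile name, region, instance
ID and endpoint are placeholders; replace them with your own. main() needs
the AWS CLI and the Session Manager plugin on the workstation; the helper
functions run without them.
"""
import json
import socket
import subprocess
import sys
import time

PROFILE = "RDS"
REGION = "us-east-1"
JUMP_INSTANCE_ID = "i-0123456789abcdef0"
RDS_ENDPOINT = "demo-mysql.abc123.us-east-1.rds.amazonaws.com"
REMOTE_PORT = 3306
# A local port other than 3306, so a MySQL server on the workstation can
# never mask the tunnel (connecting to the wrong one fails silently).
LOCAL_PORT = 13306


def start_session_argv(profile, region, instance_id, host, remote_port, local_port):
    """Argument list for the port-forwarding session.

    The parameters are passed as JSON: the CLI expects each value as a list
    of strings, and JSON sidesteps the quoting differences between cmd.exe,
    PowerShell and bash.
    """
    params = {"host": [host],
              "portNumber": [str(remote_port)],
              "localPortNumber": [str(local_port)]}
    return ["aws", "ssm", "start-session",
            "--profile", profile, "--region", region,
            "--target", instance_id,
            "--document-name", "AWS-StartPortForwardingSessionToRemoteHost",
            "--parameters", json.dumps(params)]


def wait_for_listener(host, port, timeout=30.0, interval=0.5):
    """Poll until something accepts TCP connections on host:port, or give up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)
    return False


def main():
    argv = start_session_argv(PROFILE, REGION, JUMP_INSTANCE_ID,
                              RDS_ENDPOINT, REMOTE_PORT, LOCAL_PORT)
    proc = subprocess.Popen(argv)
    try:
        if not wait_for_listener("127.0.0.1", LOCAL_PORT):
            print("tunnel did not come up: check the ssm:StartSession permission, "
                  "the plugin, and that the jump server shows as a managed node",
                  file=sys.stderr)
            return 1
        print(f"Tunnel up. Connect MySQL Workbench to 127.0.0.1:{LOCAL_PORT}; "
              f"Ctrl-C here ends the session.")
        return proc.wait()
    except KeyboardInterrupt:
        return 0
    finally:
        if proc.poll() is None:
            proc.terminate()  # stopping the plugin ends the SSM session and the tunnel
            proc.wait()


if __name__ == "__main__":
    sys.exit(main())
```

Because the session ends when the plugin process ends, running the tunnel under a supervising script like this also means a forgotten tunnel dies with the terminal rather than staying open on the workstation.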
In conclusion, this post has shown a secure and practical way to reach Amazon RDS instances in private subnets. With AWS Systems Manager Session Manager the database stays unreachable from the internet, the jump server has no inbound ports, and the connection from the workstation is a port-forwarding session rather than an SSH tunnel.
SSH/PEM key management drops out of the picture: who may open a session is decided in AWS Identity and Access Management (IAM), and every session start is logged.
Following these steps, you can keep your Amazon RDS instances private while still giving developers and administrators the client access they need.
Drop a query if you have any questions regarding AWS Systems Manager Session Manager and we will get back to you quickly.
1. Is AWS Systems Manager Session Manager a suitable alternative to a traditional bastion host for connecting to Amazon RDS in a private subnet?
ANS: – Yes, for this use case. You still run a jump instance inside the VPC, but Session Manager removes the parts of a traditional bastion that carry the risk: the public IP, the open SSH port and the shared PEM keys. Access is decided by IAM, session starts are logged, and the AWS-StartPortForwardingSessionToRemoteHost document gives you the port forwarding a bastion would normally provide over SSH. If a workflow depends on SSH itself, Session Manager can also carry an SSH session (the AWS-StartSSHSession document), still without any inbound port.
2. Is AWS Systems Manager Session Manager limited to connecting only to Amazon RDS instances?
ANS: – No. Session Manager connects to managed nodes: Amazon EC2 instances and on-premises servers running SSM Agent. Amazon RDS itself runs no agent; you reach it, as in this post, by forwarding a port through a managed instance in the same VPC. The same pattern works for any other service reachable from the jump server's network.
3. What advantages does AWS Systems Manager Session Manager offer over conventional remote access approaches for Amazon RDS?
ANS: – Compared with direct SSH or RDP to a bastion, Session Manager needs no public IP and no open inbound ports on the jump server, and no SSH keys to distribute or rotate. Access is granted and revoked centrally in IAM, which can restrict a caller to a specific instance and session document. Session starts are recorded in AWS CloudTrail, and session content can optionally be logged to Amazon S3 or Amazon CloudWatch Logs, which supports auditing and compliance requirements.
WRITTEN BY Naman Jain
Naman works as a Research Intern at CloudThat. With a deep passion for Cloud Technology, Naman is committed to staying at the forefront of advancements in the field. Throughout his time at CloudThat, Naman has demonstrated a keen understanding of cloud computing and security, leveraging his knowledge to help clients optimize their cloud infrastructure and protect their data. His expertise in AWS Cloud and security has made him an invaluable team member, and he is constantly learning and refining his skills to stay up to date with the latest trends and technologies.